X-Git-Url: https://git.proxmox.com/?p=pve-qemu-kvm.git;a=blobdiff_plain;f=debian%2Fpatches%2Fextra%2FCVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch;fp=debian%2Fpatches%2Fextra%2FCVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch;h=0000000000000000000000000000000000000000;hp=19e759962f86582eaf1cef0954638d1a3a4406ad;hb=1a91ab45b7b886b5a4d2b12a559e4b239eccceed;hpb=e9748910af967b15cce8c312fc50589065fca911
diff --git a/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch b/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
deleted file mode 100644
index 19e7599..0000000
--- a/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Wed, 14 Dec 2016 12:31:56 +0530
-Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
-
-Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
-command, retrieves the maximum capabilities size to fill in the
-response object. It continues to fill in capabilities even if
-retrieved 'max_size' is zero(0), thus resulting in OOB access.
-Add check to avoid it.
-
-Reported-by: Zhenhao Hong
-Signed-off-by: Prasad J Pandit
-Message-id: 20161214070156.23368-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann
----
-
-Notes:
- CVE-2016-10028
-
- hw/display/virtio-gpu-3d.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index d98b140..cdd03a4 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-- resp = g_malloc0(sizeof(*resp) + max_size);
-+ if (!max_size) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+ return;
-+ }
-
-+ resp = g_malloc0(sizeof(*resp) + max_size);
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
- gc.capset_version,
---
-2.1.4
-